[Esapi-user] AuthenticationHostException

Rohit Sethi rklists at gmail.com
Mon Feb 28 07:04:01 EST 2011


+1 for disable by default

On 2/28/11, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> On 02/27/2011 08:20 PM, Jim Manico wrote:
>>> I guess the real question is around the value of this Intrusion Detection
>>> Rule (i.e. detecting a host change mid-session)? Wouldn't you run into
>>> problems with AOL proxy and the like if you simply do .equals() checks on
>>> IP addresses?
>>
>> Definitely! This kind of defense does NOT work in a consumer-facing
>> internet type of app, but often DOES work well in some intranet settings.
>>
>
> This definitely is something that does NOT work on the Internet for the
> very reasons cited. It's been discussed in great detail on other lists
> (WebAppSec, SC-L, etc.).
>
> It can be useful for intranet, and most likely once everyone cuts over to
> IPv6 in the next 20 yrs and NAT starts to die out (there are many who think
> that routers, switches, etc. will eventually stop supporting NAT at some
> point), it might eventually be useful on the Internet again.
>
> I've dealt with IDM systems that try to use this same check, but it is a
> bit more flexible. The project that we use allows one to either configure
> a specific list of comma-separated trusted proxy IPs or to specify IP
> subnets that one trusts as proxies. If ESAPI isn't going to get that
> complicated, then we could just add a property to control whether it is
> enabled or not. (But I would argue that its default is to disable it as I
> suspect that most uses of ESAPI--at least the early ones--are more apt to be
> Internet facing web applications.)
>
> -kevin
> --
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
>

-- 
Sent from my mobile device

Rohit Sethi
Security Compass
http://www.securitycompass.com
twitter: rksethi
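The check the thread is debating, written out as an added example (this is not ESAPI code and not anything the posters wrote): a session is bound to the first client address seen, a later request from a different address is flagged as a possible session hijack, and the two mitigations Kevin describes are applied: the rule is off unless a property turns it on, and requests arriving from a configured list of trusted proxy IPs or subnets are exempt, since behind a proxy or NAT the visible address says nothing about the real client. The property names `HostCheck.Enabled` and `HostCheck.TrustedProxies`, the session dictionary and the sample addresses are all assumptions made for the illustration; the example uses Python's `ipaddress` module so the same code covers IPv4 and IPv6.

```python
"""Session host-change check with trusted-proxy exemption (added example, not ESAPI code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class HostCheckConfig:
    # Disabled by default: on the public Internet, shared proxies and NAT make
    # the source address change legitimately mid-session, so the rule only
    # makes sense in intranet-style deployments that opt in.
    enabled: bool = False
    # Networks whose requests bypass the check (assumed property format:
    # comma-separated IPs or CIDR prefixes).
    trusted_proxies: List[ipaddress._BaseNetwork] = field(default_factory=list)

    @classmethod
    def from_properties(cls, props: Dict[str, str]) -> "HostCheckConfig":
        """Build the config from a flat properties map (assumed key names)."""
        enabled = props.get("HostCheck.Enabled", "false").strip().lower() == "true"
        raw = props.get("HostCheck.TrustedProxies", "")
        # A bare IP such as "192.0.2.10" becomes a /32 (or /128) network.
        nets = [ipaddress.ip_network(s.strip(), strict=False)
                for s in raw.split(",") if s.strip()]
        return cls(enabled=enabled, trusted_proxies=nets)


def is_trusted_proxy(remote_addr: str, cfg: HostCheckConfig) -> bool:
    """True if the request's source address lies in a configured proxy range."""
    ip = ipaddress.ip_address(remote_addr)
    # 'in' is False across address families, so v4 and v6 entries never collide.
    return any(ip in net for net in cfg.trusted_proxies)


def check_host_change(session: Dict[str, str], remote_addr: str,
                      cfg: HostCheckConfig) -> Tuple[bool, str]:
    """Bind the session to its first-seen address and flag later changes.

    Returns (ok, reason). ok=False is the intrusion-detection event; the caller
    decides whether to log it, step up authentication, or invalidate the session.
    """
    if not cfg.enabled:
        return True, "check disabled"
    try:
        ipaddress.ip_address(remote_addr)
    except ValueError:
        # An unparseable address is a bad request, not a host change.
        return False, "unparseable remote address"
    if is_trusted_proxy(remote_addr, cfg):
        # Behind a trusted proxy the visible address is the proxy, not the user;
        # comparing it would only produce false positives.
        return True, "trusted proxy"
    bound = session.get("bound_host")
    if bound is None:
        session["bound_host"] = remote_addr
        return True, "bound"
    if bound == remote_addr:
        return True, "match"
    return False, f"host changed {bound} -> {remote_addr}"


if __name__ == "__main__":
    # Constructed demo: an intranet deployment that opts in and trusts 10.0.0.0/8.
    cfg = HostCheckConfig.from_properties({
        "HostCheck.Enabled": "true",
        "HostCheck.TrustedProxies": "10.0.0.0/8, 192.0.2.10",
    })
    session: Dict[str, str] = {}
    for addr in ("203.0.113.5", "203.0.113.5", "10.20.30.40", "198.51.100.7"):
        print(addr, check_host_change(session, addr, cfg))
```

With the defaults (no properties set) every request passes and no session binding happens, which is the "disable by default" behaviour the thread settles on; enabling it without a proxy list is the brittle .equals() comparison the first poster warns about.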